On Sa, Jul 20 2013, Jens Lechtenboerger wrote:
On Fr, Jul 19 2013, Gregory Maxwell wrote:
On Fri, Jul 19, 2013 at 10:03 AM, Jens Lechtenboerger <[email protected]> wrote:
but going much further than that may well decrease your
security.
How, actually? I’m aware that what I’m doing is a departure
from network diversity to obtain anonymity. I’m excluding
what I consider unsafe based on my current understanding. It
might be that in the end I’ll be unable to find anything that
does not look unsafe to me. I don’t know what then.
Because you're lowering the entropy of the nodes you are
selecting: maybe all the hosts themselves are simply NSA
operated, or if not now, they'd be a smaller target to
compromise.
I don’t buy the entropy argument. If the NSA compromises Tor
nodes, wouldn’t they target as many nodes as possible,
regardless of guard selection strategies?
Note that I’m avoiding guards that they can monitor without
having compromised them.
Let me expand upon that one. Actually, I’d like to consider two
aspects separately: First, nodes may or may not be compromised.
If they are, they should not be used by anyone. Usually, we don’t
know, so we select randomly. Of course, everybody may have more
or less reason to trust individual operators or not—my previous
posts are unrelated to such reasoning. Second, the *path* to a
node may or may not be compromised. Depending on where you live
and where you connect to the Internet, different expectations
apply. This is the case I’m talking about. If I expect a path to
be compromised then I don’t want to use entry nodes that must use
that path. I don’t care whether those nodes are compromised or
not, they are out of scope. Note that based on this criterion,
I’m probably using different guard nodes when I connect to the
Internet from different places.
To sum up: One-size-fits-all is not the best approach for node
selection.
So far, I’ve been arguing from a German perspective. Let’s change
that.
Assume that you live under an oppressive regime that monitors
everything in your own country, and you use Tor to anonymize your
communication. You must make sure that you always communicate via
foreign servers with your compatriots; otherwise, both ends of the
torified traffic are monitored in your country, and Tor fails.
You cannot avoid that your communication with your entry guard is
stored and analyzed. Now, if Tor’s standard path selection ever
chooses an exit node in your own country then also the exit’s
communication is stored and analyzed, and Tor fails. Thus, you must
avoid national exits. And you must avoid foreign exits with boomerang
routes into your own country. (It’s less obvious whether you should
avoid national guards. Although those are monitored in your country
they offer protection against foreign adversaries if you care about
them.)
Finally, if you did not do so already ;) please re-read the previous
paragraph and pretend that I wrote “democratic government” instead of
“oppressive regime.”
One-size-fits-all is not the best approach for node selection.
Best wishes
Jens
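Added example, not part of the original message or of Tor's code: a small model of the two positions in this thread, filtering exits by location and by route (the "boomerang" case) and measuring how much selection entropy the filter costs. The relay list, bandwidth weights, route sets and function names are all constructed assumptions.

```python
import math

# Constructed sample data (not a real Tor consensus). "route" is the set of
# countries assumed to be crossed between the exit and a foreign destination,
# e.g. as derived from traceroute or AS-path measurements (hypothetical).
RELAYS = [
    {"name": "relayA", "cc": "de", "bw": 400, "route": {"de"}},
    {"name": "relayB", "cc": "nl", "bw": 300, "route": {"nl", "de"}},  # boomerang
    {"name": "relayC", "cc": "se", "bw": 200, "route": {"se"}},
    {"name": "relayD", "cc": "ch", "bw": 100, "route": {"ch", "fr"}},
]


def usable_exits(relays, monitored):
    """Keep exits that are neither located in a monitored country nor
    reached over a route that crosses one."""
    return [
        r for r in relays
        if r["cc"] not in monitored and not (r["route"] & monitored)
    ]


def selection_entropy(relays):
    """Shannon entropy in bits of a bandwidth-weighted random choice."""
    total = sum(r["bw"] for r in relays)
    if total == 0:
        return 0.0  # nothing left to choose from
    probs = [r["bw"] / total for r in relays]
    return -sum(p * math.log2(p) for p in probs if p > 0)


if __name__ == "__main__":
    monitored = {"de"}  # the user's own country in this constructed case
    kept = usable_exits(RELAYS, monitored)
    print("all exits :", [r["name"] for r in RELAYS],
          f"{selection_entropy(RELAYS):.3f} bits")
    print("kept exits:", [r["name"] for r in kept],
          f"{selection_entropy(kept):.3f} bits")
```

Tor's `ExcludeExitNodes {de}` together with `StrictNodes 1` expresses only the location test; the route test depends on path measurements that Tor does not collect itself.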